Merge pull request #2149 from OTRF/feature/Sysmon-For-Linux-Rules

OTR - Migrating rules to Sysmon for Linux schema :)

rules/linux/file_create/cron_files.yml

@@ -0,0 +1,33 @@
+title: Cron Files
+id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
+status: experimental
+description: Detects creation of cron files or files in Cron directories. Potential persistence.
+date: 2021/10/15
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+tags:
+    - attack.persistence
+    - attack.t1053.003
+references:
+   - https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
+logsource:
+   product: linux
+   category: file_create
+detection:
+   selection1:
+      TargetFilename|startswith:
+         - '/etc/cron.d/'
+         - '/etc/cron.daily/'
+         - '/etc/cron.hourly/'
+         - '/etc/cron.monthly/'
+         - '/etc/cron.weekly/'
+         - '/var/spool/cron/crontabs/'
+   selection2:   
+      TargetFilename|contains:
+         - '/etc/cron.allow'
+         - '/etc/cron.deny'
+         - '/etc/crontab'
+   condition: selection1 or selection2
+falsepositives:
+   - Any legitimate cron file.
+level: medium
+            

rules/linux/process_creation/at_command.yml

@@ -11,7 +11,7 @@ logsource:
     category: process_creation
 detection:
     selection:
-        ProcessName|endswith:
+        Image|endswith:
           - '/at'
           - '/atd'
     condition: selection

rules/linux/process_creation/clear_syslog.yml

@@ -0,0 +1,28 @@
+title: Commands to Clear or Remove the Syslog
+id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
+status: experimental
+description: Detects specific commands commonly used to remove or empty the syslog.
+date: 2021/10/15
+author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+tags:
+   - attack.impact
+   - attack.t1565.001
+references:
+   - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_clear_syslog.yml
+logsource:
+   product: linux
+   category: process_creation
+detection:
+   selection:
+      CommandLine|contains:
+         - 'rm /var/log/syslog'
+         - 'rm -r /var/log/syslog'
+         - 'rm -f /var/log/syslog'
+         - 'rm -rf /var/log/syslog'
+         - 'mv /var/log/syslog'
+         - ' >/var/log/syslog'
+         - ' > /var/log/syslog'
+   condition: selection
+falsepositives:
+   - Log rotation.
+level: high

rules/linux/process_creation/clipboard_collection.yml

@@ -0,0 +1,31 @@
+title: Clipboard Collection with Xclip Tool
+id: ec127035-a636-4b9a-8555-0efd4e59f316
+status: experimental
+description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+date: 2021/10/15
+author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+tags:
+    - attack.impact
+    - attack.t1485
+references:
+   - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml
+logsource:
+   product: linux
+   category: process_creation
+detection:
+    selection1:
+      Image|contains: 'xclip'
+    selection2:
+      CommandLine|contains:
+        - '-selection'
+        - '-sel'
+    selection3:
+      CommandLine|contains:
+        - 'clipboard'
+        - 'clip'
+    selection4:
+      CommandLine|contains: '-o'
+    condition: selection1 and selection2 and selection3 and selection4
+falsepositives:
+   - Legitimate usage of xclip tools.
+level: low

rules/linux/process_creation/dd_file_overwrite.yml

@@ -0,0 +1,27 @@
+title: DD File Overwrite
+id: 2953194b-e33c-4859-b9e8-05948c167447
+status: experimental
+description: Detects potential overwriting and deletion of a file using DD.
+date: 2021/10/15
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+tags:
+    - attack.impact
+    - attack.t1485
+references:
+   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
+logsource:
+   product: linux
+   category: process_creation
+detection:
+   selection1:
+      Image: '/bin/dd'
+   selection2:   
+      CommandLine|contains: 'of='
+   selection3:
+      CommandLine|contains:
+         - 'if=/dev/zero'
+         - 'if=/dev/null'
+   condition: selection1 and selection2 and selection3
+falsepositives:
+   - Any user deleting files that way.
+level: low

rules/linux/process_creation/omigod_scx_runasprovider_executescript.yml

@@ -0,0 +1,30 @@
+title: OMIGOD SCX RunAsProvider ExecuteScript
+id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
+status: experimental
+description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
+date: 2021/10/15
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+tags:
+    - attack.privilege_escalation
+    - attack.initial_access
+    - attack.execution
+    - attack.t1068
+    - attack.t1190
+    - attack.t1203
+references:
+   - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+   - https://github.com/Azure/Azure-Sentinel/pull/3059
+   - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executescript.yml
+logsource:
+   product: linux
+   category: process_creation
+detection:
+    selection:
+        user: root
+        LogonId: '0'
+        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
+        CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
+    condition: selection
+falsepositives:
+    - Legitimate use of SCX RunAsProvider ExecuteScript.
+level: high

rules/linux/process_creation/omigod_scx_runasprovider_executeshellcommand.yml

@@ -0,0 +1,30 @@
+title: OMIGOD SCX RunAsProvider ExecuteShellCommand
+id: 21541900-27a9-4454-9c4c-3f0a4240344a
+status: experimental
+description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
+date: 2021/10/15
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+tags:
+    - attack.privilege_escalation
+    - attack.initial_access
+    - attack.execution
+    - attack.t1068
+    - attack.t1190
+    - attack.t1203
+references:
+   - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+   - https://github.com/Azure/Azure-Sentinel/pull/3059
+   - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml
+logsource:
+   product: linux
+   category: process_creation
+detection:
+    selection:
+        user: root
+        LogonId: '0'
+        CurrentDirectory: '/var/opt/microsoft/scx/tmp'
+        CommandLine|contains: '/bin/sh'
+    condition: selection
+falsepositives:
+    - Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
+level: high